QOS for Internet Access

lepavelcisco · ‎07-11-2007

HI,

i have never configured QOS.

currently we have T1 for Internet access for about 200 people.

the second T1 is on the way (it is a 2XT1 bundle , waiting for a WIC to arrive to complete migration).

Now i need to allow good Internet browsing experience for the users.

no downloads(via http or p2p programs) no streaming (like Google video or you tube),

some people are allowed to download or watch streaming (but i want to restrict them to some KB per session)

can i restrict http downloads to , let say , 20kbp per session.?

First i need to know if 3Mbit is good to my situation or i need more bandwidth?

if more then how much?

can you help me with the config?

sorry my stupidity in QOS.

guruprasadr · ‎07-11-2007

HI, [Pls Rate if HELPS]

Block Google Chat & Meebo in your Network:

------------------------------------------

ip inspect alert-off

ip inspect name URL_FILTER http java-list 2 urlfilter

ip urlfilter allow-mode on

ip urlfilter cache 5

ip urlfilter exclusive-domain deny chatenabled.mail.google.com

ip urlfilter exclusive-domain deny .meebo.com

ip audit notify log

ip audit po max-events 100

!

interface FastEthernet0/0

ip address x.x.x.x x.x.x.x

ip access-group 101 in

ip inspect URL_FILTER in

speed auto

!

access-list 2 permit any

the above config will block the sites what i have listed & rest all are allowed, because "ip urlfilter allow-mode on" command is mentioned, if this is not mentioned, then it blocks the entire internet traffic. so make sure that you are issuing this command.

Block Traffic using NBAR:

-------------------------

Block specific web sites ?

Block some specific extensions from being downloading ?

Answer:

--------

1st Method:

------------

class-map match-any http

match protocol http url "*www.google.com*"

match protocol http url "*.rar*"

interface fastehternet 0/0

service-policy input drop-http

policy-map drop-http

class http

police 1000000 31250 31250 conform-action drop exceed-action drop violate-action drop

2nd Method:

-----------

class-map match-any http

match protocol http url "*www.google.com*"

match protocol http url "*.rar*"

policy-map mark-http

class http

set dscp 1

interface FastEthernet0/0

service-policy input mark-http

interface Serial1/0.1 point-to-point

ip access-group 101 in

ip access-group 101 out

access-list 103 deny ip any any dscp 1

access-list 103 permit ip any any

Regarding Bandwidth:

--------------------

For the initial period, avail 3 Mbits of Bandwdith & analyse the Usage based on Traffic Pattern, Usage Level during Business Hrs & off-Business Hrs.

Also, Check whether any of your Business involved in the Http Traffic. Then Based on the Study you can go for a Increase of Bandwidth.

Hope i am Informative.

Pls RATE if HELPS

Best Regards,

Guru Prasad R

lepavelcisco · ‎07-12-2007

HI,

Thank for your replay.

how do i address my other issius that i posted, is it possible? like limiting sessions per user or per session to X Kbps?

I am using Nbar and Netflow to monitor my traffic. as it seems most of it is HTTP like 70%-80% the rest is other crap that i need to block some of it

Last week usage resolt of trufic comeing in to my NET.

http 9.01 GB 81%

smtp 1.55 GB 14%

https 322.82 MB 3%

ESP_App 81.46 MB 1%

TCP_App 71.73 MB 1%

domain 57.98 MB 1%

pop3 3.52 MB <1%

UDP_App 2.6 MB <1%

ssh 831.62 KB <1%

icmp 367.75 KB <1%

ms-sql-m 209.67 KB <1%

netmeeting 175.24 KB <1%

isakmp 104.64 KB <1%

epmap 28.45 KB <1%

ftp 19.14 KB <1%

netbios-ssn 16.45 KB <1%

netbios-ns 16.06 KB <1%

ms-sql-s 13.1 KB <1%

hosts2-ns 9.0 KB <1%

microsoft-ds 6.52 KB <1%

imap 5.63 KB <1%

cadlock2 4.5 KB <1%

auth 2.83 KB <1%

X11 2.52 KB <1%

tcpmux 1.9 KB <1%

compressnet 1.52 KB <1%

mysql 1.08 KB <1%

this is NBAR resolt :

FastEthernet0/0

Input Output

----- ------

Protocol 30sec Bit Rate (bps) 30sec Bit Rate (bps)

------------------------ ------------------------ ------------------------

http 154000 0

smtp 84000 0

secure-http 8000 0

dns 4000 0

telnet 2000 0

ssh 1000 0

snmp 0 0

ipsec 0 0

h323 0 0

pop3 0 0

unknown 28000 0

Total 281000 0

now i want to:

1. block some trafic that i do not need?

2.i want to give some trafic more priority the other.

3.limit some trafic to let say 10Kbps.

4.limit some of the users sessions to ,lets say , 20 KBPS per session.

4.how can i analyze my http trafic to impliment steps 1-4 on my http Trafic.

thanks.

vinay_verma80 · ‎07-15-2007

hi

use the same nbar for blocking these protocols

eg

in global mode>>>>>>>

class match http

match protocol http ---- their are other nabar for specifc protocols

policy map limiting

class http

bandwidth 80

in wan interface mode >>>>>>>>>>

bandwidth < ur exact interface B.w>

service police out limiting

:-)

plz rate thsi if u like

regards

lepavelcisco · ‎07-16-2007

hi can you give a more detailed example?

"policy map limiting

class http

bandwidth 80

"

is that limit all my http trafic to 80 Kbp or is it limit the http trafic to 80 Kbp per session?

vinay_verma80 · ‎07-19-2007

that is limiting the whole traffic to 80kbps if their is congesition on the outgoing interface , if their is no congestion on out going interface( serial i suppose) it can take more B.w till ur interface B.w

if u wnat that ur http tarffic should not go above 80 kbp even through u have no congestion us " priority 80 kbps"

that limit the b.w to 80 kbps max

regards

alvaroadp · ‎07-19-2007

If all you have is 2xT1, I would get a Linksys router WRT54g, hack it with OpenWRT and put it between your LAN and your Cisco Router. It does all you want, and cost peanuts. Beware that OpenWRT will have you out of warranty...

Pavel Bykov · ‎07-21-2007

There is no straight way to limit traffic per session.

You would have to apply QoS on every port of every switch where PCs that access internet connect, and limit it there.

Bandwidth management is PER-CLASS, not PER-FLOW. Whatever falls into the class, will be limited to what you configured.

Pavel Bykov · ‎07-21-2007

Also, T1 is not that great for internet since it's symmetric.

Internet traffic is very asymmetric, with around 80-90% download and 10-20% upload. So the rest of UP bandwidth is not being used.

With modern websites being really large, your connection of 3Mbps for 200 users is just enough. But it also depends how much their work relies on Internet.

a.cruea1980 · ‎07-23-2007

In my opinion, if you want to restrict on a per-session basis, and you're worried about bandwidth used, try a proxy server instead, and block TCP port 80 from going out on all your clients that way they HAVE to hook up to your proxy. You can specify proxies to use via either DHCP or GPO without having to do TOO much user interaction.

That would be my suggestion. I'm sure you'll watch your bandwidth usage drop a decent amount, too.